Group Policy Preferences' (GPPs') abilities to eliminate your login scripts and bring customizable control to your user's workspace make it an exceptionally useful tool. Its no-added-cost price point accentuates that usefulness, most especially in today's "use what you already have" economy. Yet it can be argued that GPP's greatest power has yet to be discussed. That power comes in complete control over the applications that make up your environment.
One of the long-held limitations with traditional Group Policy related to the types of elements that it could configure. Right out of the box and without custom coding, traditional Group Policy could easily customize Windows settings. But its capabilities were relatively limited to just those configurable elements that Microsoft made natively available. Controlling the configuration of Internet Explorer was possible because IE is a Microsoft product, and as such templates for its configuration are provided. But if you needed to control the configuration of WinZip, or Adobe Reader, or the last article's home-grown CustomerApp application, you were forced to code your own template files or do without.
This problem goes away with GPPs. Creating a preference setting using Group Policy Preferences creates a container in which multiple custom configurations can be entered: Files can be added to computers, INI files can be modified, and even registry keys can be altered to suit your needs.
This customizability grows exceptionally useful when you align their capabilities with how most applications store their configurations. Think for a minute about the applications in your environment. When you click the check box in Microsoft Word to disable its grammar checker, or when you configure WinZip to use Classic Mode, where are those selections stored? More often than not, they're stored as values in the registry. Sometimes they're stored in an INI file. Using GPPs, both INI files and registry settings can be manipulated through the Group Policy Management Editor (GPME).
The hard part is in identifying which registry keys or INI files relate to which settings. Once you check a box, which registry key is changed, which INI file is updated? It is entirely possible to manually scan the registry for changes as you flip switches inside an application's GUI. While many applications store their settings is easily-recognizable locations (with subfolders of HKEY_CURRENT_USERSoftware as a common location), this process grows much more cumbersome when applications don't behave in standard ways.
It is in this activity where tools outside Group Policy can come in handy. Multiple tools are available on the market today to watch the registry and report on changes that occur. One tool in particular that assists and can be obtained for no cost is Scalable Software's freeware WinINSTALL LE, downloadable from http://www.scalable.com. This tool is outwardly designed as a solution to assist with repackaging software for distribution through an automated deployment solution like Microsoft's System Center Configuration Manager or Group Policy Software Installation. But one component of it can also be used as a tool to help identify which registry keys change when settings are changed in an application.
Other tools are specifically designed for registry monitoring and comparison, like Easy Desk Software's Registry Watch at http://www.easydesksoftware.com/Regwatch.htm and DeviceLock's Active Registry Monitor at http://www.devicelock.com/arm/.
"Discovering" Application Config Changes
As an example, let's assume that you want to prevent Adobe Reader from automatically checking for new updates. By preventing this action from occurring, you the administrator can pre-test and determine which updates work with your environment before rolling them out in a controlled fashion.
From within an installation of Adobe Reader, navigating to Edit | Preferences | General brings forward an option marked Check for updates. This box is checked by default, which instructs the application to automatically check for updates at regular intervals. You wish to remove this check box across every installation in your domain to prevent this action from occurring.
Figuring out what part of the registry is changed by altering the check box is one activity where a registry comparison can assist. Using such a tool, a snapshot of the computer can be taken with the check box marked, followed by a second snapshot of the computer after the check box has been cleared. Such a tool will scan the registry and locate the exact registry key and location which changed between the two snapshots. The resulting information can be directly imputed into a GPP with the ultimate result of bringing that configuration under centralized control.
No comments:
Post a Comment